U.S. patent application number 13/063216 was published by the patent office on 2011-07-07 (as US 2011/0164750 A1) for a method for communicating in a network, a communication device and a system therefor.
This patent application is currently assigned to Koninklijke Philips Electronics N.V. Invention is credited to Oscar Garcia Morchon, Martijn Maas.
United States Patent Application 20110164750 (Kind Code A1)
Application No.: 13/063216
Family ID: 42039962
Published: July 7, 2011
Maas; Martijn; et al.
METHOD FOR COMMUNICATING IN A NETWORK, A COMMUNICATION DEVICE AND A
SYSTEM THEREFOR
Abstract
The present invention relates to a communication system
comprising a first node and second node adapted for communicating
in a network, wherein the first node comprises a first list of
keying materials including a plurality of keying materials, wherein
the second node comprises a second list of keying materials
including a plurality of keying materials, wherein the first node
further comprises a receiver for receiving from the second node a
second node identifier, a controller being arranged for determining
from the second node identifier the position in the first list of
at least one keying material having a common root with one keying
material of the second list, and for generating an encryption key
by means of the keying material having a common root and the second
node identifier.
Inventors: Maas; Martijn (Eindhoven, NL); Garcia Morchon; Oscar (Eindhoven, NL)
Assignee: Koninklijke Philips Electronics N.V., Eindhoven, NL
Family ID: 42039962
Appl. No.: 13/063216
Filed: September 8, 2009
PCT Filed: September 8, 2009
PCT No.: PCT/IB2009/053918
371 Date: March 10, 2011
Current U.S. Class: 380/270
Current CPC Class: H04W 84/18 20130101; H04L 63/0435 20130101; H04W 12/041 20210101; H04W 12/0431 20210101; H04W 12/0433 20210101; H04L 63/061 20130101
Class at Publication: 380/270
International Class: H04K 1/00 20060101 H04K001/00
Foreign Application Data
Date: Sep 17, 2008; Code: EP; Application Number: 08305561.6
Claims
1. A method for communicating in a network between a first node and
a second node, wherein the first node comprises a first list of
cryptographic elements including a plurality of cryptographic
elements, wherein the second node comprises a second list of
cryptographic elements including a plurality of cryptographic
elements, said method comprising: a) the first node receiving from
the second node a second node identifier, b) the first node
determining from the second node identifier the position in the
first list of at least one cryptographic element based on a common
root with one cryptographic element of the second list, c) the
first node generating an encryption key by means of the
cryptographic element having a common root.
2. The method of claim 1, wherein the cryptographic elements are
keying materials for generating a shared key between the first and
second node.
3. The method of claim 1, further comprising prior to step a), the
step of assigning to each node of the network a list of
cryptographic elements, said list being selected depending on an
identifier of the corresponding node among a plurality of available
lists of cryptographic elements.
4. The method of claim 3, wherein the lists of cryptographic
elements are generated so that any pair of lists comprise each at
least one cryptographic element having a common root.
5. The method of claim 1, wherein the first node determines from
the second node identifier and its own identifier the position in
the first list of at least one cryptographic element based on a
common root without generating the whole composition of the list of
cryptographic elements.
6. The method of claim 3, wherein the lists of cryptographic
elements are generated so that the position of a common element in
two different lists can be discovered without generating the whole
composition of the list of cryptographic elements.
7. The method of claim 3, wherein there is a relationship between
each considered pair of lists and the position in each lists of the
pair of the at least one keying material having a common root.
8. The method of claim 2, wherein the lists of keying materials are
generated as elements of a Finite Projective Plane.
9. The method of claim 8, wherein step b) comprises computing a second node block identifier as follows: $j_2 = i_2 \bmod (n^2+n+1)$, where $j_2$ is the block identifier of the second node, $i_2$ the second node identifier and $n$ is the order of the Finite Projective Plane.
10. The method of claim 9, wherein a first block identifier of the first node equals $j_1 = i_1 \bmod (n^2+n+1)$, where $j_1$ is the block identifier, $i_1$ the first node identifier and $n$ is the order of the Finite Projective Plane, and wherein if the second node block identifier equals the first block identifier, the position $k_1$ in the first list of the key material having a common root is obtained as follows:
$$k_1 = \frac{i_1 - i_2}{n^2+n+1} \pmod{n+1}.$$
11. The method of claim 10, further comprising, if the second node block identifier does not equal the first block identifier, the first node computing
$$k = \frac{j_2 - j_1}{a_2 - a_1} \pmod{n},$$
where $a_2$ equals $\lfloor j_2/n \rfloor$ and $a_1$ equals $\lfloor j_1/n \rfloor$.
12. A communication node adapted for communicating in a network
with at least a further communication node, wherein the
communication node comprises a first list of cryptographic elements
including a plurality of cryptographic elements, a receiver for
receiving from the further node a node identifier, a controller
adapted for determining from the further node identifier the
position in the first list of at least one cryptographic element
having a common root with one cryptographic element of a further
list of cryptographic elements corresponding to the further node,
and for generating an encryption key by means of the cryptographic
element having a common root.
13. A communication system comprising a first node and second node
adapted for communicating in a network, wherein the first node
comprises a first list of cryptographic elements including a
plurality of cryptographic elements, wherein the second node
comprises a second list of cryptographic elements including a
plurality of cryptographic elements, wherein the first node further
comprises a receiver for receiving from the second node a second
node identifier, a controller being arranged for determining from
the second node identifier the position in the first list of at
least one cryptographic element having a common root with one
cryptographic element of the second list, and for generating an
encryption key by means of the cryptographic elements having a
common root.
Description
FIELD OF THE INVENTION
[0001] The present invention relates to a method for communicating
in a network comprising a plurality of communication devices, to
such devices, and to a system comprising a plurality of such
devices. More specifically, the invention relates to a system of
communication using encryption materials distributed to
communication devices of the network so that they can communicate
in a secure manner.
[0002] This invention is, for example, relevant for sensor
networks, like wireless sensor and actuator networks (WSNs), where
the sensor nodes are low-power, low-cost devices.
BACKGROUND OF THE INVENTION
[0003] Sensor networks, for instance mobile wireless sensor and
actuator networks (WSNs) are used in a wide range of applications.
The size of such networks can vary from tens to several tens of
thousands of nodes. Their nature can be very dynamic, i.e. the
network topology may change over the time. The sensor nodes have to
be very cost-efficient, so they typically have very limited
resources like battery power, communication bandwidth, processing
power, memory, and likewise.
[0004] Security services like confidentiality, authentication,
integrity, and authorization are essential in medical applications
and in ZigBee applications such as patient monitoring or wireless
control networks. However, due to
the resource-constrained nature of the nodes, security methods
based on asymmetric cryptography are generally considered
inefficient or infeasible. Therefore, symmetric cryptography is
usually applied to enable the required security services. The
fundamental problem with symmetric cryptography, however, is
key-distribution: how to establish shared secrets in nodes that
need to communicate securely. This problem is particularly eminent
in WSNs, because of their dynamic nature and possibly large
size.
[0005] Thus, key pre-distribution methods have been proposed,
wherein each of the sensor nodes is provided with a set of
cryptographic elements prior to deployment. Once the nodes are
deployed, the cryptographic elements enable them to establish
common secrets on which to base the security services. Two trivial
key pre-distribution methods are loading the same symmetric key in
all nodes offering an optimal scalability, but minimal resilience,
and providing a different key for every possible pair of nodes
offering an optimal resilience, but minimal scalability.
[0006] As a consequence, it is proposed to use a method being a
tradeoff of these two methods. However, when one node wishes to
communicate with a further node, it needs to discover which
encryption element is common to both nodes, by computing the
composition of the further node set of elements and comparing this
further set with its own set of elements. Depending on the number
of different encryption elements in the set of encryption elements,
and on the method for distributing the encryption elements to each
node, this step of discovering the common encryption element may
require a high computation power and a high memory capacity. As a
consequence, this method is not adapted to sensor networks where
nodes have a low capacity.
SUMMARY OF THE INVENTION
[0007] It is an object of the invention to propose a method for
communicating in a network enabling secure communications,
especially in a sensor network.
[0008] It is another object of the present invention to propose a
method for communicating in any kind of networks comprising secure
communications allowing discovering a common encryption element in
an efficient manner.
[0009] To this end, the method in accordance with the invention is a method for communicating in a network between a first node and a second node,
[0010] wherein the first node comprises a first list of cryptographic elements including a plurality of cryptographic elements,
[0011] wherein the second node comprises a second list of cryptographic elements including a plurality of cryptographic elements, said method comprising:
[0012] a) the first node receiving from the second node a second node identifier,
[0013] b) the first node determining from the second node identifier the position in the first list of at least one cryptographic element based on a common root with one cryptographic element of the second list,
[0014] c) the first node generating an encryption key by means of the cryptographic element having a common root and the second node identifier.
[0015] As a consequence, the first node does not need to build the
complete set of encryption elements of the further node, and may
deduce from the identifier of the further node which elements are
based on a common root. For instance, if the cryptographic elements
are encryption keys, two keys based on a common root are equal. If
the cryptographic elements are keying materials, i.e. key generator
functions, they are based on a common root if these functions are
determined from a single common key share. For instance, the common
key root may be a symmetric bivariate polynomial.
[0016] In accordance with a second aspect of the invention, a
communication node is proposed that is adapted for communicating in a
network with at least a further communication node,
[0017] wherein the communication node comprises a first list of
keying materials including a plurality of keying materials, a
receiver for receiving from the further node a node identifier, a
controller adapted for determining from the further node identifier
the position in the first list of at least one keying material
having a common root with one keying material of a further list of
keying materials corresponding to the further node, and for
generating an encryption key by means of the keying material having
a common root and the further node identifier.
[0018] In accordance with a third aspect of the invention, a
communication system is proposed comprising a first node and a second
node adapted for communicating in a network,
[0019] wherein the first node comprises a first list of keying
materials including a plurality of keying materials,
[0020] wherein the second node comprises a second list of keying
materials including a plurality of keying materials,
[0021] wherein the first node further comprises a receiver for
receiving from the second node a second node identifier, a
controller being arranged for determining from the second node
identifier the position in the first list of at least one keying
material having a common root with one keying material of the
second list, and for generating an encryption key by means of the
keying material having a common root and the second node
identifier.
[0022] These and other aspects of the invention will be apparent
from and will be elucidated with reference to the embodiments
described hereinafter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0023] The present invention will now be described in more detail,
by way of example, with reference to the accompanying drawings,
wherein:
[0024] FIG. 1 is a network according to one embodiment of the
invention
[0025] FIG. 2 is a block diagram of a method for secure
communications from a first node to a second node, according to an
embodiment of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0026] The present invention relates to a method for secure
communications from a first node to a second node in a network. The
present invention is more especially dedicated to wireless sensor
and actuator networks for example used for patient monitoring, e.g.
networks comprising sensor nodes for sensing physical parameters of
a patient, receptor nodes for providing medical staff with the
parameters, and actuator nodes.
[0027] However, it is to be noted that the present invention is not
limited to networks of the like, and can be carried out in any type
of network, used for any technical application.
[0028] A method according to one embodiment of the invention will
now be described in connection with FIGS. 1 and 2.
[0029] A network according to the invention comprises at least two
nodes N1 and N2, each one being provided with an identifier,
respectively called ID1 and ID2. In an embodiment, the network also
comprises a trust center node TC, used for the configuration of the
network and for providing the nodes N1 and N2 with all necessary
information for generating cryptographic keys.
[0030] During operational phase, to ensure the communication
between the first node N1 and the second node N2 of the network,
each of the nodes generates a shared key and uses this key to
encode any communication sent to the other node, or to decode any
communication received from this other node. FIG. 2 describes the
different steps required for the first node to generate a shared
key for communicating with the second node. Similar steps may be
performed by the second node for generating the corresponding
shared key for communicating with the first node.
[0031] In accordance with this example, to generate a key, two nodes need to be provided with keying material shares, respectively $KM^{(ID1)}$ and $KM^{(ID2)}$, i.e. some information allowing for key establishment. Each keying material share is generally received from the trust center TC during a configuration phase or distribution phase of the network. The keying material shares provided to the nodes are generated from a root keying material KM, which is cryptographic information known only to the trust center. In this example the root keying material is a bivariate function, like a polynomial, and each keying material share is a univariate function. Advantageously, the root keying material is a symmetric bivariate function. It is to be noted that in other examples of the invention, the keying material shares are multivariate functions or encryption keys of a symmetric encryption system.
[0032] The method described above is thus not intended to be
applied to a particular node, but can be carried out by any node of
the network.
[0033] When a communication is to be established between the first
node and the second node, the first node receives from the second
node, on step a), the identifier ID2 of the second node.
[0034] In order to discover the shared key for communicating with the second node, the first node needs to determine, in step b), the common element of the respective lists of cryptographic elements of the two nodes N1 and N2 involved in the communication. Then, in step c), node N1 generates a key from this determined common element, for instance by evaluating it at the identifier of N2 if the cryptographic element is a univariate function as explained above.
[0035] Indeed, in accordance with the $\lambda$-resilient key distribution schemes that can be used in this kind of network and were introduced previously, nodes do not share ready-made keys. Instead, nodes are provided with some node-specific information that allows them to compute a shared key with any other node on input of that node's identifier. This node-specific information is derived from a keying root (KR) and the node-specific share for node $i$ is denoted by $KR^{(i)}$. Hence, the different shares $KR^{(i)}$ are all different but correlated. This approach is especially interesting for mobile wireless sensor and actuator networks for several reasons, including: (i) the resource-constrained nature of wireless nodes; (ii) the mobility of nodes; (iii) the low delay requirements of application scenarios such as patient monitoring or wireless control networks addressed by the ZigBee Alliance.
[0036] The method of this embodiment of the invention can be applied to combinatorial key pre-distribution methods. These form the basis of the deterministic pairwise key pre-distribution scheme (DPKPS), which works as follows. In DPKPS not one but multiple keying roots are generated. A combinatorial concept is used to pre-distribute certain sets of keying root shares to the nodes in a clever way. This combinatorial concept can be a Finite Projective Plane (FPP) of order $n$ (with $n$ prime) and parameters $(n^2+n+1, n+1, 1)$, which is defined as an arrangement of $n^2+n+1$ distinct elements into $n^2+n+1$ blocks such that:
[0037] each block contains exactly $n+1$ elements;
[0038] every element occurs in exactly $n+1$ blocks;
[0039] every pair of blocks has exactly 1 element in common.
[0040] The set of elements is denoted by $E = \{0, \ldots, n^2+n\}$ and the set of blocks by $B = \{B_0, \ldots, B_{n^2+n}\}$, where block $B_i = \{b_{i,0}, \ldots, b_{i,n}\} \subseteq E$.
[0041] The elements of the FPP correspond to different keying roots $KR_0, \ldots, KR_{n^2+n}$ in the system. In the pre-deployment phase before the operational phase, the sensor nodes are assigned to a particular FPP block according to the clever distribution. Here node $i$ (with $i \in \{0, 1, 2, \ldots\}$) is assigned to block $B_j$ with:
$$j \equiv i \pmod{n^2+n+1}.$$
[0042] The keying material that a node is provided with consists of the shares derived from the roots in its particular block. Hence, node $i$ gets keying material $KM^{(i)}$:
$$KM^{(i)} = \{KR_{b_{j,0}}^{(i)}, KR_{b_{j,1}}^{(i)}, \ldots, KR_{b_{j,n}}^{(i)}\}.$$
[0043] Note that by the definition of the FPP, any two nodes then have exactly one common root if they are in different blocks, or $n+1$ common roots if they are in the same block. After the nodes are deployed, a node $i_1$ that wants to establish a shared key with node $i_2$ performs the following key establishment procedure:
[0044] 1. Determine the block identifier $j_2 \equiv i_2 \pmod{n^2+n+1}$.
[0045] 2. Common root discovery:
[0046] a. Generate the FPP block with block identifier $j_2$: $B_{j_2} = \{b_{j_2,0}, \ldots, b_{j_2,n}\}$.
[0047] b. Compare the elements of block $B_{j_2}$ with the elements of its own block $B_{j_1}$ (which may be stored to save on computational effort) to discover the common element $b$.
[0048] c. Retrieve the keying root share $KR_b^{(i_1)}$ from the keying material.
[0049] 3. Compute the key from the share $KR_b^{(i_1)}$ and identifier $i_2$. This can be done in several ways. For example, if $KR_b^{(i_1)}$ is a univariate polynomial, it can be evaluated at the value $i_2$. In another example, this share is segmented into sub-polynomials, each evaluated at $i_2$, and the results are then concatenated or combined, for instance with an XOR operation. By definition of the $\lambda$-resilient scheme, this key is equal to the key that node $i_2$ computes from its share $KR_b^{(i_2)}$ and identifier $i_1$.
[0050] The following table represents an FPP of order $n=2$ with parameters $(7,3,1)$. The first column represents block $B_0$, corresponding to roots $\{KR_0, KR_2, KR_4\}$, the second column represents block $B_1$, corresponding to roots $\{KR_1, KR_3, KR_4\}$, etc. According to the clever distribution, node $i$ (with $i \in \{0, 1, 2, \ldots\}$) is assigned to block $B_j$ with:
$$j \equiv i \pmod{n^2+n+1}.$$
[Table of the order-2 FPP not reproduced in this text; the text itself gives only $B_0 = \{0, 2, 4\}$ and $B_1 = \{1, 3, 4\}$.]
[0051] For instance, node 8 is assigned to block $B_1$ and therefore its keying material, denoted $KM^{(8)}$, is given by the set of shares:
$$KM^{(8)} = \{KR_{b_{1,0}}^{(8)}, KR_{b_{1,1}}^{(8)}, KR_{b_{1,2}}^{(8)}\} = \{KR_1^{(8)}, KR_3^{(8)}, KR_4^{(8)}\}.$$
[0052] If node 8 wants to establish a key with node 14, it follows the key establishment procedure:
[0053] 1. Determine the block identifier $j \equiv 14 \pmod{n^2+n+1}$, so $j = 0$.
[0054] 2. Common root discovery:
[0055] a. Generate the FPP block $B_0 = \{0, 2, 4\}$.
[0056] b. Compare it to the own (stored) FPP block $B_1 = \{1, 3, 4\}$ to find the common element $b = 4$.
[0057] c. Retrieve the share $KR_4^{(8)}$ from the keying material $KM^{(8)}$.
[0058] 3. Compute the key from the share $KR_4^{(8)}$ and identifier 14.
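The procedure of [0043]-[0058] carried through in code, as an added example that is not part of the patent. It assumes what the text leaves open: the keying roots are symmetric bivariate polynomials of degree $\lambda = 2$ over a prime field (a $\lambda$-secure scheme in the sense of [0035]), the trust center's coefficients are drawn from a fixed seed, and only the two order-2 blocks quoted in the text ($B_0 = \{0, 2, 4\}$ and $B_1 = \{1, 3, 4\}$) are embedded, so only nodes that fall into those blocks can be used. The same-block tie-break follows [0078]; the names `TrustCenter`, `establish_key` and `demo` are ours.

```python
"""Added example, not code from the patent: the DPKPS key establishment of
[0043]-[0058] with lambda-secure polynomial keying roots.  Assumptions (ours,
not the text's): roots are symmetric bivariate polynomials of degree LAMBDA
over GF(PRIME), coefficients come from a fixed seed, and only the two order-2
blocks quoted in [0050]-[0056] are embedded."""
import random

N_ORDER = 2                                  # FPP order n used in the text
NUM_BLOCKS = N_ORDER ** 2 + N_ORDER + 1      # 7 blocks, hence 7 keying roots
PRIME = 2 ** 31 - 1                          # assumed field size
LAMBDA = 2                                   # assumed degree: lambda+1 colluding shares reveal a root

# Blocks as given in the text; a real trust center generates all 7.
BLOCKS = {0: (0, 2, 4), 1: (1, 3, 4)}


class TrustCenter:
    """Holds the secret keying roots KR_0 .. KR_6 and hands out shares."""

    def __init__(self, seed=1234):
        rng = random.Random(seed)
        self.roots = []
        for _ in range(NUM_BLOCKS):
            c = [[0] * (LAMBDA + 1) for _ in range(LAMBDA + 1)]
            for x in range(LAMBDA + 1):
                for y in range(x, LAMBDA + 1):
                    c[x][y] = c[y][x] = rng.randrange(PRIME)   # symmetric: f(x, y) = f(y, x)
            self.roots.append(c)

    def share(self, root_idx, node_id):
        """KR_b^(i): the univariate polynomial f_b(i, y), as coefficients in y."""
        c = self.roots[root_idx]
        return [sum(c[x][y] * pow(node_id, x, PRIME) for x in range(LAMBDA + 1)) % PRIME
                for y in range(LAMBDA + 1)]

    def keying_material(self, node_id):
        """(j, KM^(i)): block identifier and the shares of the roots in B_j, in block order."""
        j = node_id % NUM_BLOCKS
        if j not in BLOCKS:
            raise ValueError("only blocks B_0 and B_1 are embedded in this example")
        return j, [self.share(b, node_id) for b in BLOCKS[j]]


def evaluate(poly, y):
    """Evaluate a share (univariate polynomial) at the peer's identifier."""
    return sum(coef * pow(y, k, PRIME) for k, coef in enumerate(poly)) % PRIME


def establish_key(own_id, own_block_id, own_km, peer_id):
    """Steps 1-3 of [0044]-[0049]: peer's block id, common root by comparing
    blocks, then evaluate the matching share at peer_id."""
    peer_block_id = peer_id % NUM_BLOCKS                                # step 1
    if own_block_id == peer_block_id:
        # same block: n+1 common roots; pick one from the identifiers as in [0078]
        pos = (abs(own_id - peer_id) // NUM_BLOCKS) % (N_ORDER + 1)
    else:
        (b,) = set(BLOCKS[own_block_id]) & set(BLOCKS[peer_block_id])   # step 2a/2b: exactly one
        pos = BLOCKS[own_block_id].index(b)                             # step 2c: position of KR_b
    return evaluate(own_km[pos], peer_id)                               # step 3


def demo():
    """Node 8 (block B_1) and node 14 (block B_0), as in [0052]-[0058]."""
    tc = TrustCenter()
    j8, km8 = tc.keying_material(8)
    j14, km14 = tc.keying_material(14)
    return j8, j14, establish_key(8, j8, km8, 14), establish_key(14, j14, km14, 8)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns block identifiers 1 and 0 for nodes 8 and 14 and the two keys, which agree because the common root $KR_4$ is a symmetric polynomial: node 8 evaluates $f_4(8, y)$ at $y = 14$, node 14 evaluates $f_4(14, y)$ at $y = 8$. The degree $\lambda$ is the collusion bound of the scheme, not a security parameter to tune freely: $\lambda + 1$ shares of the same root suffice to interpolate it.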
[0059] One of the main issues with this scheme for instance in
combinatorial key pre-distribution methods is step 2 in the key
establishment procedure: the discovery of a shared element in two
FPP blocks. Because of the limited resources, this discovery should
be done as efficiently as possible, i.e., requiring a minimum
amount of computational effort, memory, and code size.
[0060] State-of-the-art methods proceed as described above, i.e.,
by generating the elements of the FPP block, comparing it to its
own FPP block to find a common element, and retrieving the
corresponding share from the keying material. An alternative could
be for nodes to send in addition to the node identifier also the
elements of their FPP block, although this results in a high
communication overhead and authentication problems.
[0061] The essential idea of this invention is based on the insight
that the value of the shared FPP element is irrelevant--only its
position in the respective FPP blocks is needed. So instead of
computing the whole FPP block and comparing it to its own (stored)
block, a node may directly compute from the block identifiers the
position of the shared element in the blocks, and hence the
position of the shared keying root in its keying material.
[0062] In the following, it will be described one of the possible
methods for generating the FPP such that the position of the common
element of each set of cryptographic elements is linked to the
identifiers of the nodes. This method is designed such as to
establish algebraic relations between the positions of the shared
element in the blocks and the respective block identifiers. Then,
in the operational phase, these relations are used to define a
method to directly derive the positions from the block
identifiers.
[0063] The computational effort and code size required by this
method is comparable to the generation of a normal FPP block.
Hence, compared to the current method, this method saves on the
computational effort and code size needed for comparing the blocks
and selecting the common element. Moreover, this method has no
additional memory requirements. This is in contrast to the
previously described method, where nodes permanently store the
elements of their own FPP block and temporarily store those of
other nodes.
[0064] For generating an FPP with parameters (n.sup.2+n+1, n+1, 1)
for n prime, it was proposed to use a set of mutually orthogonal
latin squares (MOLS) that aid in defining which elements are to be
included in which block. This procedure has been adapted to define
a more convenient indexing and arrangement of blocks, and specify
concrete formulas for the generation of these blocks. As a
consequence, it establishes well-defined relations between pairs of
block identifiers and the position of their shared element in these
blocks. These previously lacking relations are then used to specify
a method for determining these positions directly, without the need
for generating and comparing the FPP blocks.
[0065] For the generation of the FPPs, in the deployment phase, for $n$ prime, the $n \times n$ matrix $M$ is defined as:
$$M = \begin{pmatrix} 0 & \cdots & n-1 \\ n & \cdots & 2n-1 \\ \vdots & & \vdots \\ n^2-n & \cdots & n^2-1 \end{pmatrix}$$
[0066] The rows and columns of $M$ are indexed from 0 to $n-1$, so the elements of $M$ are determined by
$$M_{i,j} = in + j \quad \text{for } 0 \le i, j \le n-1.$$
[0067] Define the $n \times n$ matrices $L^{(a)}$ for $0 \le a \le n-1$, also indexed from 0 to $n-1$, by:
$$L^{(a)}_{k,l} = (ak + l) \bmod n \quad \text{for } 0 \le k, l \le n-1.$$
[0068] As an illustrative example, for $n=3$ we have the matrices:
$$M = \begin{pmatrix} 0 & 1 & 2 \\ 3 & 4 & 5 \\ 6 & 7 & 8 \end{pmatrix}, \quad L^{(0)} = \begin{pmatrix} 0 & 1 & 2 \\ 0 & 1 & 2 \\ 0 & 1 & 2 \end{pmatrix}, \quad L^{(1)} = \begin{pmatrix} 0 & 1 & 2 \\ 1 & 2 & 0 \\ 2 & 0 & 1 \end{pmatrix}, \quad L^{(2)} = \begin{pmatrix} 0 & 1 & 2 \\ 2 & 0 & 1 \\ 1 & 2 & 0 \end{pmatrix}$$
[0069] The construction of the FPP blocks $B_0, \ldots, B_{n^2+n}$, where $B_j = \{b_{j,0}, \ldots, b_{j,n}\} \subseteq \{0, \ldots, n^2+n\}$, is defined as follows.
[0070] For $0 \le j \le n^2-1$ and $0 \le k \le n-1$, the elements $b_{j,k}$ take a value from matrix $M$. Namely, the index $k$ indicates the row number of $M$, while the value $L^{(a)}_{k,l}$ indicates the column number, where $l = j \bmod n$ and $a = \lfloor j/n \rfloor$, $\lfloor \cdot \rfloor$ being the floor operator (for $n \le x < n+1$, $\lfloor x \rfloor = n$). Hence:
[0071] For $0 \le j \le n^2-1$ and $0 \le k \le n-1$:
$$b_{j,k} = M_{k,\,L^{(a)}_{k,l}} = kn + (k \lfloor j/n \rfloor + j) \bmod n.$$
[0072] For $n^2 \le j \le n^2+n-1$ and $0 \le k \le n-1$, the elements $b_{j,0}, \ldots, b_{j,n-1}$ are formed by the rows of $M$, so:
$$b_{j,k} = M_{j-n^2,\,k} = (j - n^2)n + k.$$
[0073] For $0 \le j \le n^2+n-1$ and $k = n$, the element $b_{j,k}$ is defined by:
$$b_{j,k} = n^2 + \lfloor j/n \rfloor.$$
[0074] For $j = n^2+n$ and $0 \le k \le n$, the element $b_{j,k}$ is defined by:
$$b_{j,k} = n^2 + k.$$
This construction can be summarized by the following formulas:
$$b_{j,k} = \begin{cases} kn + (k \lfloor j/n \rfloor + j) \bmod n & \text{for } 0 \le k \le n-1 \text{ and } 0 \le j \le n^2-1 \\ n(j - n^2) + k & \text{for } 0 \le k \le n-1 \text{ and } n^2 \le j \le n^2+n \\ n^2 + \lfloor j/n \rfloor & \text{for } k = n \text{ and } 0 \le j \le n^2+n-1 \\ n^2 + n & \text{for } k = n \text{ and } j = n^2+n \end{cases}$$
Note that because of the direct computation of the positions, this FPP construction does not have to be performed by the nodes. Instead, these relations can be used to directly compute the position of a common element from the FPP block identifiers. Only the party that pre-distributes the keying material to the nodes has to compute the complete FPP.
[0075] For $n=3$, the construction leads to the FPP depicted in the following table (columns are the blocks $B_j$, rows are the positions $k$):
      j:  0  1  2  3  4  5  6  7  8  9 10 11 12
  k = 0:  0  1  2  0  1  2  0  1  2  0  3  6  9
  k = 1:  3  4  5  4  5  3  5  3  4  1  4  7 10
  k = 2:  6  7  8  8  6  7  7  8  6  2  5  8 11
  k = 3:  9  9  9 10 10 10 11 11 11 12 12 12 12
[0076] To illustrate the way the elements are selected for $0 \le j \le n^2-1$ and $0 \le k \le n-1$, consider for example the column $j = 5$. For $0 \le k \le n-1$, the elements $b_{j,k}$ take on the value in $M$ with row number $k$ and column number equal to the value $L^{(a)}_{k,l}$. Since here $a = \lfloor j/n \rfloor = 1$ and $l = j \bmod n = 2$, the column numbers for $M$ are given by column 2 of the matrix $L^{(1)}$, i.e. 2, 0 and 1. Hence the values $b_{5,0}$, $b_{5,1}$ and $b_{5,2}$ are taken from columns 2, 0 and 1 of $M$, respectively. So $\{b_{5,0}, b_{5,1}, b_{5,2}\} = \{2, 3, 7\}$, as can be seen in the following (column $l = 2$ of $L^{(1)}$ selects one entry in each row of $M$, shown in bold):
$$L^{(1)} = \begin{pmatrix} 0 & 1 & \mathbf{2} \\ 1 & 2 & \mathbf{0} \\ 2 & 0 & \mathbf{1} \end{pmatrix} \ (l = 2), \qquad M = \begin{pmatrix} 0 & 1 & \mathbf{2} \\ \mathbf{3} & 4 & 5 \\ 6 & \mathbf{7} & 8 \end{pmatrix}.$$
[0077] A node with identifier $i_1$ computes once and stores the block identifier $j_1 = i_1 \bmod (n^2+n+1)$ and the auxiliary parameter $a_1 = \lfloor j_1/n \rfloor$. Note that unlike before, there is no need for node $i_1$ to compute and store the whole FPP block. To establish a shared key with another node $i_2$, the node computes $j_2 = i_2 \bmod (n^2+n+1)$ and $a_2 = \lfloor j_2/n \rfloor$. To determine the positions $k_1$ and $k_2$ in the keying material of the nodes $i_1$ and $i_2$, respectively, we can distinguish the following five cases (without loss of generality we assume that $j_1 \le j_2$).
[0078] 1. $j_1 = j_2$. In this case the two nodes share the same FPP block and any element in the block can be picked. Always picking the same element (e.g., the first one) would decrease the security. Therefore the selected element should depend on the node identifiers, be uniformly distributed over the $n+1$ elements, and be straightforwardly computable for both nodes. This is achieved by setting:
$$k_1 = k_2 = \frac{|i_1 - i_2|}{n^2+n+1} \pmod{n+1}.$$
[0079] Note that by definition $j_1 = j_2$ implies that $|i_1 - i_2|$ is divisible by $n^2+n+1$, so this division is a cheap operation as it requires no modular arithmetic.
[0080] 2. $j_1 \ne j_2$ and $a_1 = a_2$. In this case, $a_1$ and $a_2$ cannot be equal to $n+1$, for otherwise $j_1$ would equal $j_2$ (only $j = n^2+n$ has $\lfloor j/n \rfloor = n+1$). Hence $0 \le j_1, j_2 \le n^2+n-1$ and consequently:
$$b_{j_1,n} = n^2 + \lfloor j_1/n \rfloor = n^2 + a_1 = n^2 + a_2 = n^2 + \lfloor j_2/n \rfloor = b_{j_2,n}.$$
[0081] So the common element is at position $n$ in both blocks, i.e. $k_1 = k_2 = n$.
[0082] 3. $a_1 < a_2 = n+1$. Then $j_2 = n^2+n$, and it is easily verified that for all $k_2$ we can write $b_{j_2,k_2} = n^2 + k_2$. Moreover, for $k_2 = a_1$ it holds that:
$$b_{j_1,n} = n^2 + \lfloor j_1/n \rfloor = n^2 + a_1 = n^2 + k_2 = b_{j_2,k_2}.$$
[0083] Hence, the common element is located at position $k_1 = n$ in block $B_{j_1}$ and position $k_2 = a_1$ in block $B_{j_2}$.
[0084] 4. $a_1 < a_2 = n$. In this case, $0 \le j_1 \le n^2-1$ and $n^2 \le j_2 \le n^2+n-1$. Note that by construction $j_2 - n^2$ indicates the row of $M$ that defines the first $n$ elements of block $B_{j_2}$, namely $b_{j_2,0}, \ldots, b_{j_2,n-1}$. Since for $0 \le j_1 \le n^2-1$ the first element of block $B_{j_1}$ comes from the first row of $M$, the second element from the second row and so on, we find that $k_1 = j_2 - n^2$. Furthermore, the column number in $M$ of that particular element, given by $L^{(a_1)}_{k_1,l} = (a_1 k_1 + l) \bmod n = (a_1 j_2 + j_1) \bmod n$, indicates the position $k_2$ of that element in $B_{j_2}$. Indeed, for $k_1 = j_2 - n^2$ and $k_2 = (j_1 + a_1 j_2) \bmod n$ we find:
$$b_{j_1,k_1} = k_1 n + (k_1 \lfloor j_1/n \rfloor + j_1) \bmod n = n(j_2 - n^2) + (j_2 \lfloor j_1/n \rfloor + j_1) \bmod n = n(j_2 - n^2) + (j_2 a_1 + j_1) \bmod n = n(j_2 - n^2) + k_2 = b_{j_2,k_2}.$$
[0085] 5. $a_1 < a_2 < n$. For $k_1 = k_2 = \frac{j_2 - j_1}{a_1 - a_2} \bmod n$, we have $a_1 k_1 + j_1 \equiv a_2 k_2 + j_2 \pmod n$.
[0086] Then:
[0087]
$$b_{j_1,k_1} = k_1 n + (k_1 a_1 + j_1) \bmod n = k_2 n + (k_2 a_2 + j_2) \bmod n = b_{j_2,k_2}.$$
[0088] Hence in this case, the positions are given by:
$$k_1 = k_2 = \frac{j_2 - j_1}{a_1 - a_2} \pmod n.$$
[0089] This is the only case where a relatively expensive modular division is needed to compute the positions. This computation can be performed by trying $k = 0, 1, 2, \ldots$ for the equality $(a_1 - a_2)k \equiv j_2 - j_1 \pmod n$.
[0090] The above can be summarized in the following algorithm for the detection of the position of the common element in the FPP blocks for a node $i_1$ with another node $i_2$. Here we assume that node $i_1$ has already computed and stored block identifier $j_1 = i_1 \bmod (n^2+n+1)$ and auxiliary variable $a_1 = \lfloor j_1/n \rfloor$.
[0091] Compute $j_2 = i_2 \bmod (n^2+n+1)$ and $a_2 = \lfloor j_2/n \rfloor$.
[0092] Set $A = \operatorname{argmin}(j_1, j_2)$ and $B = \operatorname{argmax}(j_1, j_2)$.
[0093] If $j_A = j_B$ then
$$k_A = k_B = \frac{|i_A - i_B|}{n^2+n+1} \pmod{n+1}.$$
[0094] Else if $a_A = a_B$ then $k_A = k_B = n$.
[0095] Else if $a_B = n+1$ then $k_A = n$ and $k_B = a_A$.
[0096] Else if $a_B = n$ then $k_A = j_B - n^2$ and $k_B = (j_A + a_A j_B) \bmod n$.
[0097] Else
$$k_A = k_B = \frac{j_B - j_A}{a_A - a_B} \pmod n.$$
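The construction of [0065]-[0075] and the position algorithm of [0090]-[0097] together, as an added example that is not the patent's own code. It assumes $n$ prime (as the text requires), reads the same-block formula of [0078] with $|i_A - i_B|$ in the numerator so that both nodes obtain the same position (which is how [0079] refers to it), and uses the description's denominator $(a_A - a_B)$ in the last case; claim 11 writes the denominator as $(a_2 - a_1)$, which has the opposite sign and does not agree with the $n = 3$ table above. The function names are ours. Every position the direct formulas produce is cross-checked against the brute-force block comparison of [0043]-[0049].

```python
"""Added example (not the patent's code): FPP construction of [0069]-[0075]
and direct position computation of [0090]-[0097], cross-checked against the
brute-force block comparison of [0043]-[0049].  Assumptions are marked."""


def fpp_block(n, j):
    """B_j = [b_{j,0}, ..., b_{j,n}] from the closed formulas of [0074].
    n must be prime; j ranges over 0..n^2+n (one block per keying root)."""
    n2 = n * n
    if not 0 <= j <= n2 + n:
        raise ValueError("block identifier out of range")
    if j <= n2 - 1:                         # one entry of each row of M, column L^(a)_{k,l}
        first = [k * n + (k * (j // n) + j) % n for k in range(n)]
    else:                                   # n^2 <= j <= n^2+n: a row of M (n^2+k for the last block)
        first = [n * (j - n2) + k for k in range(n)]
    last = n2 + n if j == n2 + n else n2 + j // n       # b_{j,n}
    return first + [last]


def fpp_block_via_matrices(n, j):
    """Same block, selected the way [0066]-[0073] describe it: row k of
    M_{r,c} = r*n + c at column L^(a)_{k,l} = (a*k + l) mod n."""
    n2 = n * n
    M = [[r * n + c for c in range(n)] for r in range(n)]
    a, l = j // n, j % n
    if j <= n2 - 1:
        first = [M[k][(a * k + l) % n] for k in range(n)]
    elif j <= n2 + n - 1:
        first = M[j - n2]
    else:
        first = [n2 + k for k in range(n)]
    return first + [n2 + n if j == n2 + n else n2 + a]


def is_fpp(n):
    """The three defining properties of an FPP(n^2+n+1, n+1, 1) ([0036]-[0039])."""
    v = n * n + n + 1
    blocks = [fpp_block(n, j) for j in range(v)]
    sizes_ok = all(len(set(b)) == n + 1 for b in blocks)
    occur_ok = all(sum(e in b for b in blocks) == n + 1 for e in range(v))
    pairs_ok = all(len(set(blocks[x]) & set(blocks[y])) == 1
                   for x in range(v) for y in range(x + 1, v))
    return sizes_ok and occur_ok and pairs_ok


def fpp_table(n):
    """Rows k = 0..n, columns j = 0..n^2+n, laid out like the table of [0075]."""
    v = n * n + n + 1
    return [[fpp_block(n, j)[k] for j in range(v)] for k in range(n + 1)]


def common_position(n, i1, i2):
    """(k1, k2): positions of the shared keying root in KM^(i1) and KM^(i2),
    from the identifiers alone ([0077]-[0097]).  Assumptions: |i_A - i_B| in
    the same-block case (cf. [0079]) so both nodes agree; denominator
    (a_A - a_B) as in the description, not (a_2 - a_1) as in claim 11."""
    v = n * n + n + 1
    j1, j2 = i1 % v, i2 % v
    swapped = j1 > j2                                   # A = argmin, B = argmax of (j1, j2)
    iA, jA, iB, jB = (i2, j2, i1, j1) if swapped else (i1, j1, i2, j2)
    aA, aB = jA // n, jB // n
    if jA == jB:                                        # case 1: same block, n+1 common roots
        kA = kB = (abs(iA - iB) // v) % (n + 1)
    elif aA == aB:                                      # case 2: both hold n^2+a at position n
        kA = kB = n
    elif aB == n + 1:                                   # case 3: j_B = n^2+n
        kA, kB = n, aA
    elif aB == n:                                       # case 4: B_{j_B} is a row of M
        kA, kB = jB - n * n, (jA + aA * jB) % n
    else:                                               # case 5: (aA-aB)k = jB-jA (mod n), by trial as in [0089]
        kA = kB = next(k for k in range(n) if ((aA - aB) * k - (jB - jA)) % n == 0)
    return (kB, kA) if swapped else (kA, kB)


def cross_check(n, ids):
    """Brute force ([0043]-[0049]) versus the direct formulas, for every ordered pair."""
    v = n * n + n + 1
    for i1 in ids:
        for i2 in ids:
            k1, k2 = common_position(n, i1, i2)
            b1, b2 = fpp_block(n, i1 % v), fpp_block(n, i2 % v)
            if b1[k1] != b2[k2]:                        # must point at the same root
                return False
            if common_position(n, i2, i1) != (k2, k1):  # the peer must agree
                return False
    return True


if __name__ == "__main__":
    for row in fpp_table(3):
        print(" ".join(f"{x:2d}" for x in row))
    print(all(cross_check(n, range(2 * (n * n + n + 1) + 1)) for n in (2, 3, 5, 7)))
```

Run stand-alone, the block prints the $n = 3$ table of [0075] and `True`. `common_position(2, 8, 14)` returns `(2, 2)`, i.e. $KR_4$ at position 2 of both $B_1$ and $B_0$, matching the walk-through of [0052]-[0058]. `is_fpp(4)` returns `False`: for composite $n$ the matrices $L^{(a)}$ are not Latin squares and some pairs of blocks share two elements (e.g. $B_0$ and $B_8$ both contain 0 and 8), so the "exactly one common root" property the key discovery relies on no longer holds and the scheme must not be parametrized with a non-prime order.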
[0098] This embodiment of the invention finds application in ZigBee
networks as a key feature that improves the performance of
$\lambda$-secure key distribution schemes used to bootstrap security
in resource-constrained wireless nodes for patient monitoring and
distributed wireless control networks. Additionally, this
embodiment can also be applied to improve the performance of those
systems that require the computation of combinatorial distributions
based on finite projective planes (FPPs).
[0099] Other algorithms or definitions of the FPPs could be used as
soon as there exists a relationship between the position in the
list of the elements common to a pair of nodes and their
identifiers.
[0100] WSNs have a huge number of potential applications including
environmental monitoring (e.g. glaciers, fires), metering,
commercial building automation or patient monitoring. In order to
provide a common and interoperable protocol for these WSNs
applications, the ZigBee Alliance is developing a new low data
rate, long battery life, and secure protocol for WSN nodes.
[0101] In the present specification and claims the word "a" or "an"
preceding an element does not exclude the presence of a plurality
of such elements. Further, the word "comprising" does not exclude
the presence of other elements or steps than those listed.
[0102] From reading the present disclosure, other modifications
will be apparent to persons skilled in the art. Such modifications
may involve other features which are already known in the art of
radio communication and the art of transmitter power control and
which may be used instead of or in addition to features already
described herein.
* * * * *